CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2003

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2003-1262 DoS Exec Code Overflow 2003-12-31 2016-10-18
6.4
None Remote Low Not required None Partial Partial
Buffer overflow in the http_fetch function of HTTP Fetcher 1.0.0 and 1.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL request via a long (1) host, (2) referer, or (3) userAgent value.
302 CVE-2003-1261 DoS Overflow 2003-12-31 2008-09-05
2.1
None Local Low Not required None None Partial
Buffer overflow in CuteFTP 5.0 and 5.0.1 allows local users to cause a denial of service (crash) by copying a long URL into a clipboard.
303 CVE-2003-1260 Exec Code Overflow 2003-12-31 2008-09-05
7.6
None Remote High Not required Complete Complete Complete
Buffer overflow in CuteFTP 5.0 allows remote attackers to execute arbitrary code via a long response to a LIST command.
304 CVE-2003-1259 DoS Exec Code Overflow 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in CuteFTP 4.2 and 5.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP server banner.
305 CVE-2003-1258 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
activate.php in versatileBulletinBoard (vBB) 0.9.5 and 0.9.6 allows remote attackers to gain unauthorized administrative access via a URL request with the uid parameter set to the webmaster uid.
306 CVE-2003-1257 +Info 2003-12-31 2008-09-05
5.0
None Remote Low Not required Partial None None
find_theni_home.php in E-theni allows remote attackers to obtain sensitive system information via a URL request which executes phpinfo.
307 CVE-2003-1256 Exec Code 2003-12-31 2008-09-05
6.8
None Remote Medium Not required Partial Partial Partial
aff_liste_langue.php in E-theni allows remote attackers to execute arbitrary PHP code by modifying the rep_include parameter to reference a URL on a remote web server that contains para_langue.php.
308 CVE-2003-1255 2003-12-31 2017-07-11
6.4
None Remote Low Not required Partial Partial None
add_bookmark.php in Active PHP Bookmarks (APB) 1.1.01 allows remote attackers to add arbitrary bookmarks as other users using a modified auth_user_id parameter.
309 CVE-2003-1254 Exec Code 2003-12-31 2008-09-05
5.0
None Remote Low Not required None Partial None
Active PHP Bookmarks (APB) 1.1.01 allows remote attackers to execute arbitrary PHP code via (1) head.php, (2) apb_common.php, or (3) apb_view_class.php by modifying the APB_SETTINGS parameter to reference a URL on a remote web server that contains the code.
310 CVE-2003-1253 94 Exec Code File Inclusion 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in Bookmark4U 1.8.3 allows remote attackers to execute arbitrary PHP code viaa URL in the prefix parameter to (1) dbase.php, (2) config.php, or (3) common.load.php.
311 CVE-2003-1252 Exec Code 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
register.php in S8Forum 3.0 allows remote attackers to execute arbitrary PHP commands by creating a user whose name ends in a .php extension and entering the desired commands into the E-mail field, which creates a web-accessible .php file that can be called by the attacker, as demonstrated using a "system($cmd)" E-mail address with a "any_name.php" username.
312 CVE-2003-1251 Exec Code 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
The (1) menu.inc.php, (2) datasets.php and (3) mass_operations.inc.php (mistakenly referred to as mass_opeations.inc.php) scripts in N/X 2002 allow remote attackers to execute arbitrary PHP code via a c_path that references a URL on a remote web server that contains the code.
313 CVE-2003-1250 DoS 2003-12-31 2008-09-05
5.0
None Remote Low Not required None None Partial
Efficient Networks 5861 DSL router, when running firmware 5.3.80 configured to block incoming TCP SYN, packets allows remote attackers to cause a denial of service (crash) via a flood of TCP SYN packets to the WAN interface using a port scanner such as nmap.
314 CVE-2003-1249 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
WebIntelligence 2.7.1 uses guessable user session cookies, which allows remote attackers to hijack sessions.
315 CVE-2003-1248 Exec Code 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
H-Sphere WebShell 2.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) mode and (2) zipfile parameters in a URL request.
316 CVE-2003-1247 Exec Code Overflow 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist.
317 CVE-2003-1246 2003-12-31 2008-09-05
2.1
None Local Low Not required None Partial None
NtCreateSymbolicLinkObject in ntdll.dll in Integrity Protection Driver (IPD) 1.2 and 1.3 allows local users to create and overwrite arbitrary files via a symlink attack on \winnt\system32\drivers using the subst command.
318 CVE-2003-1245 2003-12-31 2017-07-11
10.0
None Remote Low Not required Complete Complete Complete
index2.php in Mambo 4.0.12 allows remote attackers to gain administrator access via a URL request where session_id is set to the MD5 hash of a session cookie.
319 CVE-2003-1244 89 Sql 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and 2.0.2 allows remote attackers to brute force user passwords and possibly gain unauthorized access to forums via the forum_id parameter to index.php.
320 CVE-2003-1243 XSS 2003-12-31 2017-07-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting vulnerability (XSS) in Sage 1.0 b3 allows remote attackers to insert arbitrary HTML or web script via the mod parameter.
321 CVE-2003-1242 2003-12-31 2008-09-05
5.0
None Remote Low Not required Partial None None
Sage 1.0 b3 allows remote attackers to obtain the root web server path via a URL request for a non-existent module, which returns the path in an error message.
322 CVE-2003-1241 Exec Code XSS 2003-12-31 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting vulnerability (XSS) in (1) admin_index.php, (2) admin_pass.php, (3) admin_modif.php, and (4) admin_suppr.php in MyGuestbook 3.0 allows remote attackers to execute arbitrary PHP code by modifying the location parameter to reference a URL on a remote web server that contains file.php via script injected into the pseudo, email, and message parameters.
323 CVE-2003-1240 94 Exec Code File Inclusion 2003-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion vulnerability in CuteNews 0.88 allows remote attackers to execute arbitrary PHP code via a URL in the cutepath parameter in (1) shownews.php, (2) search.php, or (3) comments.php.
324 CVE-2003-1239 Dir. Trav. 2003-12-31 2008-09-05
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in sendphoto.php in WihPhoto 0.86 allows remote attackers to read arbitrary files via .. specifiers in the album parameter, and the target filename in the pic parameter.
325 CVE-2003-1238 XSS 2003-12-31 2008-09-05
5.8
None Remote Medium Not required Partial Partial None
Cross-site scripting vulnerability (XSS) in Nuked-Klan 1.3 beta and earlier allows remote attackers to steal authentication information via cookies by injecting arbitrary HTML or script into op of the (1) Team, (2) News, and (3) Liens modules.
326 CVE-2003-1237 XSS 2003-12-31 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting vulnerability (XSS) in WWWBoard 2.0A2.1 and earlier allows remote attackers to inject arbitrary HTML or web script via a message post.
327 CVE-2003-1236 Exec Code 2003-12-31 2008-09-05
10.0
None Remote Low Not required Complete Complete Complete
Multiple format string vulnerabilities in the logger function in netzio.c for Tanne 0.6.17 allows remote attackers to execute arbitrary code via format string specifiers in syslog.
328 CVE-2003-1235 +Info 2003-12-31 2008-09-05
5.0
None Remote Low Not required Partial None None
BRW WebWeaver 1.03 allows remote attackers to obtain sensitive server environment information via a URL request for testcgi.exe, which lists the values of environment variables and the current working directory.
329 CVE-2003-1234 DoS Exec Code Overflow 2003-12-31 2018-10-19
3.6
None Local Low Not required None Partial Partial
Integer overflow in the f_count counter in FreeBSD before 4.2 through 5.0 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via multiple calls to (1) fpathconf and (2) lseek, which do not properly decrement f_count through a call to fdrop.
330 CVE-2003-1233 Bypass 2003-12-31 2017-07-11
2.1
None Local Low Not required None Partial None
Pedestal Software Integrity Protection Driver (IPD) 1.3 and earlier allows privileged attackers, such as rootkits, to bypass file access restrictions to the Windows kernel by using the NtCreateSymbolicLinkObject function to create a symbolic link to (1) \Device\PhysicalMemory or (2) to a drive letter using the subst command.
331 CVE-2003-1232 Exec Code 2003-12-31 2011-03-08
5.1
None Remote High Not required Partial Partial Partial
Emacs 21.2.1 does not prompt or warn the user before executing Lisp code in the local variables section of a text file, which allows user-assisted attackers to execute arbitrary commands, as demonstrated using the mode-name variable.
332 CVE-2003-1231 XSS 2003-12-31 2017-07-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in index.php in ECW-Shop 5.5 allows remote attackers to inject arbitrary web script or HTML via the cat parameter.
333 CVE-2003-1230 2003-12-31 2017-07-11
6.4
None Remote Low Not required Partial Partial None
The implementation of SYN cookies (syncookies) in FreeBSD 4.5 through 5.0-RELEASE-p3 uses only 32-bit internal keys when generating syncookies, which makes it easier for remote attackers to conduct brute force ISN guessing attacks and spoof legitimate traffic.
334 CVE-2003-1229 2003-12-31 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files.
335 CVE-2003-1228 120 DoS Exec Code Overflow 2003-12-31 2021-06-01
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the prepare_reply function in request.c for Mathopd 1.2 through 1.5b13, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via an HTTP request with a long path.
336 CVE-2003-1227 94 2003-12-31 2017-07-11
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file include vulnerability in index.php for Gallery 1.4 and 1.4-pl1, when running on Windows or in Configuration mode on Unix, allows remote attackers to inject arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412. NOTE: this issue might be exploitable only during installation, or if the administrator has not run a security script after installation.
337 CVE-2003-1226 2003-12-31 2008-09-10
2.1
None Local Low Not required Partial None None
BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores certain secrets concerning password encryption insecurely in config.xml, filerealm.properties, and weblogic-rar.xml, which allows local users to learn those secrets and decrypt passwords.
338 CVE-2003-1225 2003-12-31 2008-09-10
2.1
None Local Low Not required Partial None None
The default CredentialMapper for BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores passwords in cleartext on disk, which allows local users to extract passwords.
339 CVE-2003-1224 2003-12-31 2008-09-10
2.1
None Local Low Not required Partial None None
Weblogic.admin for BEA WebLogic Server and Express 7.0 and 7.0.0.1 displays the JDBCConnectionPoolRuntimeMBean password to the screen in cleartext, which allows attackers to read a user's password by physically observing ("shoulder surfing") the screen.
340 CVE-2003-1223 DoS 2003-12-31 2008-09-10
5.0
None Remote Low Not required None None Partial
The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (Node Manager crash) via malformed data to the Node Manager's port, as demonstrated by nmap.
341 CVE-2003-1222 2003-12-31 2008-09-10
5.0
None Remote Low Not required Partial None None
BEA Weblogic Express and Server 8.0 through 8.1 SP 1, when using a foreign Java Message Service (JMS) provider, echoes the password for the foreign provider to the console and stores it in cleartext in config.xml, which could allow attackers to obtain the password.
342 CVE-2003-1221 2003-12-31 2008-09-10
5.0
None Remote Low Not required None Partial None
BEA WebLogic Express and Server 7.0 through 8.1 SP 1, under certain circumstances when a request to use T3 over SSL (t3s) is made to the insecure T3 port, may use a non-SSL connection for the communication, which could allow attackers to sniff sessions.
343 CVE-2003-1220 DoS 2003-12-31 2008-09-10
5.0
None Remote Low Not required None None Partial
BEA WebLogic Server proxy plugin for BEA Weblogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (proxy plugin crash) via a malformed URL.
344 CVE-2003-1219 XSS 2003-12-31 2012-12-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the tep_href_link function in html_output.php for osCommerce before 2.2-MS3 allows remote attackers to inject arbitrary web script or HTML via the osCsid parameter.
345 CVE-2003-1215 Sql 2003-12-29 2017-07-11
4.6
None Local Low Not required Partial Partial Partial
SQL injection vulnerability in groupcp.php for phpBB 2.0.6 and earlier allows group moderators to perform unauthorized activities via the sql_in parameter.
346 CVE-2003-1213 +Info 2003-12-31 2017-07-11
7.5
None Remote Low Not required Partial Partial Partial
The default installation of MaxWebPortal 1.30 stores the portal database under the web document root with insecure access control, which allows remote attackers to obtain sensitive information via a direct request to database/db2000.mdb.
347 CVE-2003-1212 2003-12-31 2017-07-11
7.5
None Remote Low Not required Partial Partial Partial
MaxWebPortal 1.30 allows remote attackers to perform unauthorized actions by modifying hidden form fields, such as the (1) news, (2) lock, or (3) allmem fields in the 'start new topic' HTML page.
348 CVE-2003-1211 XSS 2003-12-31 2017-07-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in search.asp for MaxWebPortal 1.30 and possibly earlier versions allows remote attackers to inject arbitrary web script or HTML via the Search parameter.
349 CVE-2003-1210 Exec Code Sql 2003-12-31 2017-07-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 5.x through 6.5 allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to the getit function or the (2) min parameter to the search function.
350 CVE-2003-1209 20 DoS 2003-12-31 2020-03-26
5.0
None Remote Low Not required None None Partial
The Post_Method function in Monkey HTTP Daemon before 0.6.2 allows remote attackers to cause a denial of service (crash) via a POST request without a Content-Type header.
Total number of vulnerabilities : 507   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.